The need to evolve defensive security to offensive security

This morning I saw a job offer from Facebook looking for offensive security engineers and I thought it would be a wonderful opportunity to explore this idea and its application in corporate security.

Traditionally, information security in enterprises has played a defensive role built on various products (firewalls, anti-virus, IDS, etc.). But when, week after week, we read in the media how businesses of all sizes are attacked and owned, something is clearly wrong!

The Internet and its dangers have evolved, but corporate security has not: too many companies still follow decades-old security schemes to protect their information.

As nation-states develop not only their defensive capabilities but also their offensive capabilities, businesses should enhance their offensive capabilities too, not to attack other companies but to assess their own security effectively.

It is impossible for security consultants / pentesters working with limited time to truly verify the security of a company, yet this is unfortunately the model most companies follow. No one rushes a doctor during an operation or a plumber while fixing a problem, but we constantly press security consultants to deliver comprehensive results in a short space of time.

Corporate security needs to evolve to include offensive staff who truly understand attackers (the attacker mindset), who are capable of attacking systems and applications, and who have some freedom to do so within the company. These are the individuals who can raise security to the next level.

Their objective is to constantly attack the company using current, real-world techniques to discover its weak points and strengthen them, to analyze malware identified in the company, and even to set traps for attackers (honeypots). This should not be confused with counter-hacking, the idea that if we are attacked we must respond by attacking back. No company should use its offensive capabilities to counter-attack, as this can unleash all kinds of problems (legal and ethical). Offensive capabilities must only be used internally to improve security, period.

Companies that do not evolve their security to a combined defensive and offensive model, enhancing not only their technology but also their processes and people (the famous pyramid: people, processes, and technology), are doomed to be owned for a lifetime.

2 Responses to The need to evolve defensive security to offensive security

The complaint I hear from the business is that there aren’t enough technical people. However, from the technical side I have been witness to slow-moving hiring processes, fear of training (SANS is expensive and doesn’t train the on-the-job requirements, only the baseline techniques. The problem isn’t just SANS — it’s how you buy SANS/etc and how you view training), and misunderstanding of technical practices. Every leader should read the first chapter of “Gray Hat Hacking, Third Edition”.

All of the above is true, for what it’s worth — and it’s true for anyone trained in offensive security: not just penetration testers but also responders. I would agree that most skillsets I encounter in security professionals are too specialized either in penetration testing or incident responding: not both. We need strong skills in asset identification to understand its weaknesses and to build honey networks. This third category is actually called counterintelligence — it takes reverse deception to catch an adversary who utilizes the unintentional or intentional insider concepts. Finally, I would add a fourth skillset: one our adversaries already use as a competitive advantage — data science.

By identifying new, clearly data-driven, cyber offensive capabilities in the wild — especially noting examples such as espionage-driven NetTraveler and destruction-driven Shamoon — we can pick up our pieces and move on, as businesses and as governments.

If you are a business owner, application owner, or worse — an information manager: I encourage you to do what Target’s CIO has done — LEAVE YOUR JOB. GO RETIRE. GO HOME. You aren’t fit to run information in this new environment. Let some younger people handle it. You’re done, old timer!

If you are a security professional: don’t hold on to your existing management — fight the business; fight the owners. Learn the four tenets: penetration testing, incident response, counterintelligence, and data science. Build your skills in these areas by taking new ground through applied research. FIND A TEAM. STAY VETTED BY YOUR TEAM. GO AND SEE WHERE THE PROBLEMS ARE. We can get through these hard times where nobody knows what’s going on besides our adversaries, but we need to take the reins first. Be a leader by contributing!